Slashdot Mirror


Windows RT Jailbroken To Run Third-Party Desktop Apps

An anonymous reader writes "We all knew it was just a matter of time, now it looks like Windows RT has been jailbroken. From the article: 'The hack, performed by Clokr, exploits a vulnerability in the Windows kernel that has existed for a long time — since before Microsoft ported Windows from x86 to ARM, in fact. Basically, the Windows kernel on your computer is configured to only execute files that meet a certain level of authentication. There are four levels: Unsigned (0), Authenticode (4), Microsoft (8), and Windows (12). On your x86 Windows system, the default setting is Unsigned — you can run anything you like. With Windows RT, the default, hard-coded setting is Microsoft (8); i.e. only apps signed by Microsoft, or parts of Windows itself, can be executed.'"

30 of 178 comments

  1. Non Sequitir by recoiledsnake · · Score: 2, Interesting

    Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s. That cruft does exist now and is used to run things like Office and Notepad etc. but Microsoft can easily rewrite them in the future. What will happen to Putty, VNC and the like then? They will break, and then again we will blame Microsoft for it. That's the reason to lock it down.

    --
    This space for rent.
    1. Re:Non Sequitir by Anonymous Coward · · Score: 4, Insightful

      Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s.

      Yeah, it's all about freedom from backwards compatibility and legacy code!
      Wanting to be like Apple and get paid every time a customer installs any software has nothing to do with it.

    2. Re:Non Sequitir by Big+Hairy+Ian · · Score: 2

      MS locked it down so you could only run apps you bought from the app store, same reason Apple locks theirs down. I suspect at least with MS, upgrade patches probably won't turn your unlocked tablet into a brick.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    3. Re:Non Sequitir by tripleevenfall · · Score: 4, Funny

      Good news, the Surface will never "brick".

      (It will just become a more literal interpretation of the word "tablet")

    4. Re:Non Sequitir by JDG1980 · · Score: 4, Interesting

      Microsoft locked Windows RT down because it wanted to slowly get rid of the Win32 cruft dating back to the 80s and 90s.

      If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge, but Ballmer seems to have forgotten this in his Ahab-like quest to chase down Apple.

      That cruft does exist now and is used to run things like Office and Notepad etc. but Microsoft can easily rewrite them in the future.

      If Microsoft could have ditched legacy API usage for Office that easily, I think they would have done so already in the first release of Surface. At this point, the Office codebase is probably so FUBARed with 20+ years of spaghetti code and the need for backwards compatibility with 500 different document types that I doubt they could rewrite it completely even if they wanted to. Office for MacOS is almost a completely different product, done by a separate business unit. And if Microsoft ever releases a slimmed-down "Office" for iOS and/or Android, then those products will probably be written from scratch, and will not be 100% backwards compatible with anything other than OOXML.

      (Of course, any competent programmer could write a better version of Notepad in a month, so that's really not a factor.)

    5. Re:Non Sequitir by shutdown+-p+now · · Score: 4, Informative

      If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge

      We are talking specifically about Windows RT running on ARM here. There's no legacy compatibility story to begin with, even if the restriction on MS-signed-only desktop binaries weren't there in the first place.

    6. Re:Non Sequitir by cbhacking · · Score: 2

      Office for Mac and Office for Windows are at least 70% the same code, and that was a few years ago. They were targeting 90%, I believe. Already, all of the document rendering/layout/document format code (at least for 2010/2011) is supposedly identical, just recompiled for OS X. The GUI and certain features specific to each platform obviously must be different, and there's a compatibility layer which abstracts the core APIs used by Office from the OS they run on (supporting things like using the Windows Common Controls on Win32 to display file open/save/print/etc, and using the analogous controls on OS X when on that platform) and that compatibility layer obviously needs to be platform specific.

      --
      There's no place I could be, since I've found Serenity...
    7. Re:Non Sequitir by hairyfeet · · Score: 4, Insightful

      Actually the reason they locked it down was because "What does Apple do? Well do that and charge 20% more because we are better than them dammit!". If you want to know more look up the "Windows Blue" memo which makes it clear the ultimate goal of Win 8 and above is to have only MSFT approved software running on MSFT hardware sold at MSFT stores for MSFT profit margins and...well that's pretty much it.

      Windows Blue shows any original thought left the company ages ago and now they are gonna try their favorite gag of using their position in one market to force their way into another, the old IE trick, only they just don't have the power of the monopoly anymore as people don't rush out to buy the latest version like they did during Win 9X.

      Of course the bigger question of TFA is why, why would anybody care? WOA is a complete and total failure, they had to call the factory and cut their order in half to keep from having a warehouse full of Surface units so what is the point? The hope that all these Surface units will end up on Woot! for $99? I think with the Ballmernator's ego he'd bury them in a landfill in NM rather than admit it's a flop, just as he counted every Vista downgrade as a Vista sale to pad the numbers.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Non Sequitir by shutdown+-p+now · · Score: 2

      In which context it makes even less sense and just sets up WoA as a separate product, not another facet of Win8.

      That's exactly how it is intended - which is why it's called "Windows RT", and not "Windows 8" in the first place.

      Even selling some kind of "WinRT Enterprise" with this switch set to enabled would probably give them a nice boost for initial adoption - right now corporations thinking about migrating to mobile have to choose whether to rewrite their internal apps for Java, Obj C, .Net, Lua/JS with a crossplatform framework or HTML5 and backend, when they could have an easy option of "Recompile it for now and rewrite to Metro part by part in the meantime"

      Most enterprises that want to run their existing apps on a mobile device would just get an Intel-based tablet and be done with it.

      Note that you kinda outline the problem yourself: even if you can enable RT to run arbitrary desktop apps, you need to recompile not just the apps, but also all the supporting libraries/frameworks. E.g. you can't run Java apps until someone takes JRE and builds it for ARM (and it's not going to be trivial, since JIT mucks around with assembly directly). It would need to be prominently supported for several years before there's significant uptake in porting that would make it viable for enterprises to consider - and why bother?

    9. Re:Non Sequitir by tftp · · Score: 2, Insightful

      And how many of those would choose Windows in the first place?

      Quite a few, if you count how many F/OSS applications are available on Windows. The majority of customers are not even in control of what OS they are running. If GIMP or Dia or OpenOffice are not available on Windows then it's like they are not available at all. Developers generally care about their customers, even though they may express no joy about the need to compile their product using a not quite compatible toolkit. It's always simpler to publish a tarball with sources and call it done. But that's not how most people install the software.

    10. Re:Non Sequitir by VortexCortex · · Score: 4, Insightful

      If Microsoft gets rid of the "Win32 cruft dating back to the 80s and 90s", then there will be no reason for anyone to choose Windows over any other operating system. Legacy compatibility and a huge installed base of applications are Microsoft's primary competitive edge

      We are talking specifically about Windows RT running on ARM here. There's no legacy compatibility story to begin with, even if the restriction on MS-signed-only desktop binaries weren't there in the first place.

      You may have failed to realize that Win32 doesn't mean 32 bit windows API. It simply means "Not the old 16 bit API". I write all my widgets from scratch, and I talk to OpenGL directly, no SDL, no freeglut3, no MFC, just straight Win32 and OpenGL to make the lightest weight most efficient programs, even on 64 bit systems. It's crazy as hell to do this, yes, yes, I'm a glutton for punishment, ha ha, you jest, "re-invent every wheel", I know, but game developers are allowed to throw away every best practice in the name of performance... Besides, you don't see wagon wheels on a formula-1 car, eh?

      That is to say, Win32 can be compiled on ARM, and then I compile my code that uses the Win32 API to get a window and event loop, and the "legacy" compatibility isn't an issue. Event pumps and windowing callbacks are going to exist no matter what API they build. If you're talking cruft, then it's that COM stuff and .NET and MFC and all the other stuff that's built on top of win32, not win32 itself.

      IMO, Win8 is about MS trying to sandbox programs via VM (C#) and simultaneously provide cross platform support while taking a cut of every software sale made. Now, I'm not going to eat that app-store cost. You are. I'll just raise my price accordingly on MS's market to offset those fees... Sucks, but C'est la vie. If MS continues allowing "side-loading" then they can't force developers like me to sell programs in their store -- C/C++ is cross platform, and so is my code, so I just rebuild the binary for each target platform, it's not a big deal. Rebuilding everything in C# and suffering that vendor lock-in cluster fsck is really off-putting, considering my C code runs across the board on every chipset, even MIPS, and every OS (thanks to OS abstraction layer, and a bit of meta-programming for iOS and Android)... No such luck with C#, yet.

      That's where MS wants to take their market -- Incompatibility land. IMO, I wouldn't play their shenanigans unless I had to, I don't think OS choice should limit software choice (and I don't think hardware choice (beyond performance) should limit OS choice). This is shit we had well and good SOLVED in the 70's. MS sees the road ahead: The bright future where all programs are cross platform -- The road to OS irrelevance -- they hate that future, they hate your freedom to choose to run any OS on your hardware. Hence SecureBoot (Which I've said time and again is Pointless), Hence C# only in App Store & XBL Indie Games, hence blocking any apps that aren't signed by MS, and not allowing users to add their own trust certs to the OS / Hardware. The jig is up. W8 is just one more battle in the Vendor Lockin war.

      I don't mean to pick on MS, Apple is going down the same road with an app-store route for their desktop too. GNU/Linux, BSD, Android, and other FLOSS OSs are the only ones that get the software repository system done right, and not even stock Android allows user installing a new / additional cert trust (recompile). This is a fight over developers, it's the applications that matter, OSs have been irrelevant for quite some time now. It's only a matter of time -- MS can't win this one, they couldn't write secure code to save their ass, which is exactly what they'd need to do.

    11. Re:Non Sequitir by shutdown+-p+now · · Score: 3, Insightful

      You may have failed to realize that Win32 doesn't mean 32 bit windows API. It simply means "Not the old 16 bit API"

      I don't fail to realize anything - I know perfectly well that Win32 is a cross-architecture API. My point was that, from users' perspective (and especially for enterprise users, which is what GP was referencing), the compatibility story is nil because there are no existing apps that would run. Sure, most apps are just a recompile away, but someone would have to make that recompile.

      IMO, Win8 is about MS trying to sandbox programs via VM (C#) and simultaneously provide cross platform support while taking a cut of every software sale made. Now, I'm not going to eat that app-store cost. You are. I'll just raise my price accordingly on MS's market to offset those fees... Sucks, but C'est la vie. If MS continues allowing "side-loading" then they can't force developers like me to sell programs in their store -- C/C++ is cross platform, and so is my code, so I just rebuild the binary for each target platform, it's not a big deal. Rebuilding everything in C# and suffering that vendor lock-in cluster fsck is really off-putting, considering my C code runs across the board on every chipset, even MIPS, and every OS (thanks to OS abstraction layer, and a bit of meta-programming for iOS and Android)... No such luck with C#, yet.

      Just FYI, Store apps are not required to be managed. You can write 100% native apps in C++ for it - no VM, no GC.

      (Yes, it does use language extensions for system APIs, although even those are optional. And yes, those extensions do look like C++/CLI. Nevertheless, they work differently, and they don't compile to managed code.)

      Hence C# only in App Store & XBL Indie Games

      Store apps don't support XNA. In fact, pretty much the only way to write a game for Win8 Store right now (unless it's something so basic that you can make do with XAML or HTML5) is to use C++ and Direct3D.

    12. Re:Non Sequitir by cbhacking · · Score: 3, Informative

      Visual Studio 2012 (including the free Express variants) can compile for ARM. In fact, they have to, otherwise you couldn't write native apps (games, usually) for Windows RT at all. .NET code and HTML5+JS apps will run natively on RT without recompiling, but C++ apps - which is how most games are written, and some other software - require a recompile. It's trivial to do this recompile in VS, though - there's a drop-down option to build for x86, x64, or ARM.

      Now, with that said, by default Visual Studio won't let you build an ARM *desktop* app, only a "Windows Store" (The Interface Formerly Known As Metro) app. This is very easy to work around, though - you either need to set one #define (or /D in the build command) or change the relevant header (the error tells you which one) and also change one XML build configuration (again, you'll get an error telling you which one). The instructions for doing so have been posted on XDA-Developers for months.

      --
      There's no place I could be, since I've found Serenity...
    13. Re:Non Sequitir by Darinbob · · Score: 2

      But they don't really do what Apple does. The "App Store" on my Mac is only accessed by a simple text menu entry under the Apple menu. Unlike Windows 8 metro, I never see any applications pointing me to the store, I don't get any applications tell me that they refuse to run without my having an Apple ID, and I can download and run software I get from anywhere on the web.

  2. All the users will be happy. by Anonymous Coward · · Score: 5, Funny

    All 3 of them.

    1. Re:All the users will be happy. by Anonymous Coward · · Score: 4, Funny

      Dude, this stupid meme is getting fucking old. Just quit, it's not funny anymore. I know for a fact there is at least double the amount you quote that are using it.

  3. Not a Jailbreak by 0x15e · · Score: 4, Informative

    This may border on being pedantic, but I'd call this a crack instead of a jailbreak. It sounds like they're just patching a kernel value ... not breaking out of a jailshell.

    I expect MS will probably just find a way to patch it up in the near future.

    1. Re:Not a Jailbreak by jkrise · · Score: 2

      I'd call this a crack instead of a jailbreak

      In other words, the most commonly employed method by 'pirates' to get software for free to run on Windows systems?

      I have personally not used Windows 8 at all; but I hear from a local PC vendor that with Win8, you cannot get 'cracked' copies of Win8, but only 'cracked keys' to activate the damn thing; for kids who must have the latest OS at any cost on their PCs.

      I expect MS will probably just find a way to patch it up in the near future.

      No. I have seen MS for decades now; they seem to think "If you're gonna pirate s/w; then pirate our s/w, or code that runs on Windows; don't take the trouble to learn other OSes or products".

      --
      If you keep throwing chairs, one day you'll break windows....
  4. Re:Is there a way to use this to install Linux? by djsmiley · · Score: 3, Insightful

    Theoretically you could run some kind of shell on there, so yes, you could run android or linux, but it'd still be running within windows.

    And yes, you'd need to flip this bit each time you booted.

    What is more interesting is the fact you may be able to completely rewrite the whole thing; getting rid of windows entirely...

    --
    - http://www.milkme.co.uk
  5. Re:well then the appstore will NEED NO censorship by tripleevenfall · · Score: 3, Funny

    "Need" implies there are people using it, which is a conclusion we might want to take off our mat for the time being.

  6. Re:What is Windows RT? by Joce640k · · Score: 2, Informative

    The fine article has a big link in the first paragraph: "What is Windows RT?"

    Oh, wait...

    --
    No sig today...
  7. Crack, Rip, Hack, Jailbreak ... by bill_mcgonigle · · Score: 5, Insightful

    "Windows RT Gains Solution to Allow Customers to Run Any Software They Choose"

    And we wonder why people don't "get" Software Freedom. Somebody please remember to name the next software-freedom work-around "murder" just to keep the bad PR going.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Re:Developing Applications by Dudds · · Score: 5, Informative

    Windows RT contains a complete Win32 API environment (all the standard DLLs are there: kernel32.dll, user32.dll, etc).

    Visual Studio 2012 comes with the ARM compiler, so building executables is fairly easy. The restriction, to not allow ARM Win32 applications, only came late in the development cycle, so it's really only hacked in. Visual Studio will even allow native development for ARM applications, going as far as remote debugging the application, by simply adding an "enabled" setting to the ARM manifest file.

    The Windows RT SDK for building executables is not required to link existing applications, only a library file is required and that is easily built (in the XDA thread, a tool was posted that builds library files from live DLLs).

  9. Re:Whitelisting of a sort (& the future of sec by iamgnat · · Score: 4, Interesting

    Except the problem with your whole premise is that you forget the user.

    Basically Apple "whitelists" what Apps can run under iOS (and are clearly moving that way for OSX too), yet people rail against it and even go so far as to remove the "whitelist" (e.g. jailbreak).

    The problem comes down to who does the vetting and testing of an application to add it to a whitelist? If it is the user, they've proven they can't be trusted because they'll "vet" any new screensaver/antivirus/cursor application that comes along. If it is a central organization (Microsoft/Apple/Google/etc..) you then run into conflicts of interest in what they think you should do with the platform and what you actually need/want to do (e.g. what happens when you have a problem that can't be solved by any existing approved application?).

    There is no simple single solution to the problem of security. A real solution by nature needs to be multilayered which means there is some complexity and ultimately users have to take responsibility for their actions. The idea that a single company/program can keep you safe just keeps perpetuating this idea that you don't have to pay attention to what you are downloading/executing and it's that mentality that allows malware to continue to be so successful.

  10. Summary continuation by Translation+Error · · Score: 5, Informative
    Since the summary ends before actually getting to the vulnerability it started to describe, here's the relevant text:

    Now, in theory, you could change this hard-coded setting--but all Windows RT devices use UEFI, and so Secure Boot detects the altered code and locks the system down. Secure Boot doesn't stop you from changing the setting in memory, however

    --
    When someone says, "Any fool can see ..." they're usually exactly right.
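The distinction the summary continuation draws, as an added toy model in C (not code from the article, from Clokr's hack, or from Windows): the policy on disk is integrity-checked before the kernel runs, but the kernel's runtime copy of the minimum signing level is an ordinary writable variable that nothing re-verifies. The policy layout, the FNV-1a tag standing in for a Secure Boot signature check, the `boot_with_policy`/`may_execute`/`patch_runtime_level` names and the sample values are all assumptions.

```c
/* Added illustration, not code from the article or the Windows kernel.
 * Toy model: a boot-verified policy image versus its runtime copy. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four signing levels quoted in the summary. */
enum signing_level {
    SL_UNSIGNED     = 0,
    SL_AUTHENTICODE = 4,
    SL_MICROSOFT    = 8,
    SL_WINDOWS      = 12
};

/* Hypothetical on-disk policy: the hard-coded minimum level plus an
 * integrity tag standing in for the signature Secure Boot checks. */
struct policy_image {
    uint32_t min_level;
    uint32_t tag;
};

/* FNV-1a over the policy field: a stand-in for a signature, not a MAC. */
static uint32_t integrity_tag(uint32_t min_level)
{
    uint32_t h = 2166136261u;
    const uint8_t *p = (const uint8_t *)&min_level;
    for (size_t i = 0; i < sizeof min_level; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

struct policy_image make_policy_image(uint32_t min_level)
{
    struct policy_image img = { min_level, integrity_tag(min_level) };
    return img;
}

/* What "boot" checks: the on-disk bytes must match their tag. */
bool policy_image_verifies(const struct policy_image *img)
{
    return img->tag == integrity_tag(img->min_level);
}

/* Runtime state: after verification the kernel keeps the level in a plain
 * writable variable. Nothing covers it once the system is up. */
static uint32_t g_runtime_min_level = SL_WINDOWS;

/* Returns false when the image fails verification (boot is refused). */
bool boot_with_policy(const struct policy_image *img)
{
    if (!policy_image_verifies(img))
        return false;
    g_runtime_min_level = img->min_level;
    return true;
}

/* The check every image to be executed goes through. */
bool may_execute(enum signing_level image_level)
{
    return (uint32_t)image_level >= g_runtime_min_level;
}

uint32_t current_min_level(void) { return g_runtime_min_level; }

/* Models the in-memory change: only the runtime copy moves; the on-disk
 * image is untouched and still verifies at the next boot. */
void patch_runtime_level(uint32_t new_level)
{
    g_runtime_min_level = new_level;
}

int main(void)
{
    struct policy_image disk = make_policy_image(SL_MICROSOFT);
    boot_with_policy(&disk);
    printf("unsigned app allowed after clean boot: %d\n", may_execute(SL_UNSIGNED));

    /* Editing the hard-coded setting on disk is caught at boot. */
    struct policy_image tampered = disk;
    tampered.min_level = SL_UNSIGNED;
    printf("tampered image accepted at boot: %d\n", boot_with_policy(&tampered));

    /* Patching the runtime copy is not: the disk image still verifies. */
    patch_runtime_level(SL_UNSIGNED);
    printf("unsigned app allowed after memory patch: %d\n", may_execute(SL_UNSIGNED));
    printf("disk image still verifies: %d\n", policy_image_verifies(&disk));
    return 0;
}
```

The point of the model is the asymmetry: the tampered on-disk image never boots, while the same change applied to `g_runtime_min_level` after boot is invisible to the boot-time check, which is why the patch has to be redone on every boot, as comment 4 above notes.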
  11. Re:Is there a way to use this to install Linux? by Zero__Kelvin · · Score: 2

    "Android's compatibility with standard GNU-based Linux platforms is extremely weak."

    Due in no small part to the fact that there is no such thing as a standard GNU/Linux distribution. If you had experience developing for Embedded Linux systems you would realize how unfounded your "complaint" is. We have been using Busybox and non-glibc libc for over a decade.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. Re:Is there a way to use this to install Linux? by Microlith · · Score: 2

    Due in no small part to the fact that there is no such thing as a standard GNU/Linux distribution.

    No, due to the fact that they eschew GNU entirely, which is actually pretty common across Linux distributions with the sole exception of Android.

    If you had experience developing for Embedded Linux systems you would realize how unfounded your "complaint" is. We have been using Busybox and non-glibc libc for over a decade.

      I'm aware that Embedded Linux doesn't use glibc, they tend to use uClibc or (worse) something proprietary.

    But Android is still deliberately separated from GNU/Linux platforms because Google wanted to control it all and cater to handset vendors that don't like having to comply with the GPL.

  13. Re:well then the appstore will NEED NO censorship by hairyfeet · · Score: 3, Interesting

    I think this article linked through TFA reviewing the WOA appstore sums it up nicely "But for now, x86 compatibility isn't just a check box: It's a doorway back to a land of sanity.". Kinda sad they are actually charging more than iPad for Surface when it's quite obvious just from reading the reviews their appstore is completely broken and worthless.

    BTW it may be a little petty of me, but since I called it months ago that the WOA and Win 8 appstore would be a trainwreck, since they couldn't make GFWL functional after years and a competitor that would be easy enough to copy they sure as hell wouldn't be able to pull off an appstore for a different arch so I'd like to say "I told you so" to those that doubted me and do the dance of smug superiority.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  14. Re:"Metro" is a Walled Garden by cbhacking · · Score: 2

    Ummmm.... no. You can sideload "Metro" applications just fine (after running one command to unlock this capability). The packages must be signed, but they can be signed by anybody (including self-signed), so long as they chain to any trusted certificate. Visual Studio generates an install script for the package that checks whether its (also auto-generated) signing cert is trusted, and if not, offers to install the cert for you. You can also do so manually (just double-click the cert file and follow the usual import steps).

    So, .APPX (Metro application bundle) files don't require "Microsoft" signing level. What about the binaries they contain, though? It turns out that those don't need to be signed at all. At least a month back, a different branch of the "run everything on Windows RT" project bore fruit; we could run "desktop" apps within the AppContainer of a "Metro" app. (WinRT isn't supposed to include the APIs to launch new processes directly, but you have to be linked against the system call interface on Windows anyhow, which means it's possible to just scan the address space for the NtCreateProcess entry point and call it.) These apps don't have to be signed *at all* even without anything like the hack posted here. They run with low Integrity Level and have (by default) extremely limited permissions (access the System32 directory, their install directory, and their data directory, and only the last of those with write permissions), but they do not have to be signed.

    --
    There's no place I could be, since I've found Serenity...
  15. Re:Based on the little I know... by cbhacking · · Score: 2

    Self-reply with more info...

    There is some code injected, but it's injected into the user-mode process CSRSS.EXE using the debugger, not injected into the kernel. The injected code modifies a struct which is then passed as a parameter to the kernel via a system call. This call can only be made by the CSRSS (Client/Server Runtime SubSystem) process, and the kernel "trusts" it more than it should (lack of sanity checks on the parameters). When the kernel processes the modified struct, it will change the required signing level flag within the kernel.

    --
    There's no place I could be, since I've found Serenity...
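The trust failure cbhacking describes in the comment above (the kernel accepting a struct from the subsystem process without sanity-checking its contents), as an added toy model in C. This is not the article's code and not the real Windows system call or CSRSS interface; the request layout, the op code, the `POLICY_FLOOR` constant, the `caller` flag and every function name are assumptions. It puts the trusting handler beside a hardened one so the difference is visible in the return values.

```c
/* Added illustration, not code from the article or the Windows kernel.
 * Toy model: a kernel-side handler that takes a request struct from a
 * trusted subsystem process, in a vulnerable and a hardened variant. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum signing_level {
    SL_UNSIGNED     = 0,
    SL_AUTHENTICODE = 4,
    SL_MICROSOFT    = 8,
    SL_WINDOWS      = 12
};

/* Compiled-in floor: the hard-coded setting the summary describes. */
#define POLICY_FLOOR SL_MICROSOFT

enum subsystem_op { OP_NOP = 0, OP_SET_MIN_SIGNING_LEVEL = 1 };

/* Hypothetical request passed from the subsystem process to the kernel. */
struct subsystem_request {
    uint32_t op;
    uint32_t value;
};

struct caller {
    bool is_subsystem;   /* true when the calling process is the subsystem */
};

static uint32_t g_min_signing_level = POLICY_FLOOR;

uint32_t min_signing_level(void) { return g_min_signing_level; }
void reset_policy(void) { g_min_signing_level = POLICY_FLOOR; }

/* Vulnerable variant: the only check is who is calling; the payload is
 * copied into kernel policy verbatim. Code injected into the subsystem
 * process with a debugger therefore controls the field. */
int handle_request_vulnerable(const struct caller *c,
                              const struct subsystem_request *req)
{
    if (!c->is_subsystem)
        return -1;                       /* wrong caller */
    if (req->op == OP_SET_MIN_SIGNING_LEVEL) {
        g_min_signing_level = req->value;
        return 0;
    }
    return -1;
}

static bool is_known_level(uint32_t v)
{
    return v == SL_UNSIGNED || v == SL_AUTHENTICODE ||
           v == SL_MICROSOFT || v == SL_WINDOWS;
}

/* Hardened variant: caller identity is necessary but not sufficient. The
 * value must be a defined level and may only tighten policy relative to
 * the compiled-in floor; anything else is rejected without side effects. */
int handle_request_hardened(const struct caller *c,
                            const struct subsystem_request *req)
{
    if (!c->is_subsystem)
        return -1;                       /* wrong caller */
    if (req->op != OP_SET_MIN_SIGNING_LEVEL)
        return -1;                       /* unknown op */
    if (!is_known_level(req->value))
        return -2;                       /* malformed level */
    if (req->value < (uint32_t)POLICY_FLOOR)
        return -3;                       /* attempt to loosen policy */
    g_min_signing_level = req->value;
    return 0;
}

bool may_execute(enum signing_level image_level)
{
    return (uint32_t)image_level >= g_min_signing_level;
}

int main(void)
{
    struct caller csrss = { true };
    struct subsystem_request loosen = { OP_SET_MIN_SIGNING_LEVEL, SL_UNSIGNED };

    handle_request_vulnerable(&csrss, &loosen);
    printf("vulnerable: unsigned app allowed = %d\n", may_execute(SL_UNSIGNED));

    reset_policy();
    int rc = handle_request_hardened(&csrss, &loosen);
    printf("hardened: rc=%d, unsigned app allowed = %d\n", rc, may_execute(SL_UNSIGNED));
    return 0;
}
```

The hardened handler still trusts the subsystem process for identity, which is unavoidable in this design; what it stops trusting is the data the process sends, so a compromised subsystem can at most tighten the level, never lower it below the floor the image was built with.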